CVE-2021-24826 Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

2022-03-0708:16:06

CWE-79

WPScan

www.cve.org

cve-2021-24826

custom content shortcode

authenticated

cross-site scripting

wordpress

contributor

admin

unfiltered_html

EPSS

0.001

Percentile

24.8%

JSON

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won’t be when the unfiltered_html is disallowed)

CNA Affected

[
  {
    "product": "Custom Content Shortcode",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "4.0.2",
        "status": "affected",
        "version": "4.0.2",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/e247d78a-7243-486c-a017-7471a8dcb800

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2021-24826